Ali Yazdani

Principal Product Security Engineer

Ali Yazdani
Berlin, Germany

Experience

Jul 2024 - Dec 2024
6 months
Germany

Principal Product Security Engineer

Payrails GmbH

  • Defined Payrails's future security plan to become more secure by applying Shift-Left Security, CNAPP and DevSecOps principles
  • Established threat modeling for the first time in the company so that security is part of Payrails's design process
  • Established vulnerability management as a regular process and activity to identify recently disclosed issues faster
  • Improved cloud and container security by adding tools that provide visibility and make issues manageable
  • Promoted DevSecOps by implementing security steps as part of Payrails's CI/CD
  • Worked closely with developer and infra teams to ensure a shared understanding of potential threats and vulnerabilities
  • Collaborated with the info-sec team to ensure compliance with the regulations and policies Payrails follows
Oct 2023 - Jun 2024
9 months
Germany

Principal DevSecOps Engineer

ScoutBee GmbH

  • Defined Scoutbee's security strategies to ensure our product and services are secure and comply with the standards and regulations we follow
  • Collaborated with development teams to implement best practices based on secure coding principles and defined secure CI/CD guardrails to keep the development pipelines on the rails
  • Collaborated with the infra/SRE team to identify security vulnerabilities and misconfigurations; established IaC scanning, CNAPP, and Policy as Code for deployments on cloud providers to improve understanding and visibility
  • Ran threat modeling and secure coding workshops to identify threats and plan their fixes in the design and development phases (shift-left mindset) and to promote a culture of DevSecOps
Aug 2022 - Sep 2023
1 year 2 months
Germany

Senior DevSecOps Engineer

ScoutBee GmbH

  • Spearheaded the implementation of security-focused software development practices, including SAST, SCA, IaC, PaC, and DAST, in the CI/CD pipelines to enhance the security posture of applications and infrastructure for four main projects, reducing the cost and time of fixing security issues by 20%
  • Prepared threat modeling exercises to identify security risks and vulnerabilities in software designs and implemented countermeasures to mitigate them before development started, helping to cut potential issues by 30%
  • Led and managed penetration testing and vulnerability management programs and coordinated with development and operations teams to prioritize and remediate issues, reducing time to resolve security vulnerabilities by 15% and improving the product's security level by at least 15%
  • Initiated the shift-left strategy and the DevSecOps culture for early detection and mitigation of security risks throughout the SDLC, reducing security risk in the SDLC process by 25%
  • Performed security assessments and audits of applications and infrastructure to maintain compliance with industry standards and regulations, such as ISO 27001, TISAX, SOC2, and GDPR
Feb 2022 - Jul 2022
6 months
Germany

Senior Security Engineer

NewStore GmbH

  • Implemented application/API security measures, secure coding practices, and authentication/authorization mechanisms to ensure the security of applications and APIs, reducing security risks by 20%
  • Designed and executed security controls for cloud infrastructure to mitigate security risks in the cloud environment, improving the AWS security level by 50% and the Kubernetes security level by 30%
  • Led penetration testing and vulnerability management programs to identify and remediate vulnerabilities across applications, APIs, and infrastructure
  • Conducted security assessments and audits of applications, APIs, and infrastructure to maintain compliance with industry standards and regulations, such as ISO 27001, SOC2, and GDPR
Sep 2021 - Feb 2022
6 months
Germany

Engineering Lead DevSecOps

Henkel AG

  • Rolled out DevSecOps technologies in the CI/CD pipelines to enhance application and infrastructure security; integrated 65% of new services with DevSecOps technologies
  • Carried out threat modeling exercises to identify security issues in software designs and implementations, and designed countermeasures to mitigate them and lessen service security risks
  • Advocated the shift-left strategy and DevSecOps culture by initiating threat modeling and actively collaborating with DevOps teams to integrate security into the SDLC, promoting continuous improvement and security awareness
Jul 2019 - Aug 2021
2 years 2 months
Germany

Senior Security Engineer

Raisin GmbH

  • Conducted periodic and on-demand vulnerability assessments and penetration tests to identify and remediate security vulnerabilities across applications, APIs, and infrastructure
  • Designed and evaluated cloud/hybrid infrastructure development leveraging Azure IaaS and PaaS, ensuring confidentiality, integrity, and availability of data and services
  • Analyzed software designs, implementations, and infrastructure through threat modeling to identify security issues and design countermeasures, resulting in the improved security posture of applications and infrastructure
  • Performed security testing and code review as part of the SDLC pipeline, promoting the shift-left strategy and DevSecOps culture, and implemented SAST, SCA, and DAST in the CI/CD pipelines to enhance the security of applications and infrastructure
  • Collaborated with development, operations, and security teams to foster a culture of continuous improvement and security awareness, ensuring security was integrated into the DevOps processes and workflows
Jun 2018 - Apr 2019
11 months
Iran, Islamic Republic of

Security Red Team Lead

MTN Irancell

  • Conducted and managed regular vulnerability assessments and penetration testing programs on IT services to identify and remediate security vulnerabilities across networks, applications, and systems
  • Worked closely with the DevOps team to find security issues and automate some test cases, promoting a culture of security awareness and continuous improvement
  • Reviewed service architecture and produced threat modeling documents for significant services to identify security weaknesses and design countermeasures, ensuring the confidentiality, integrity, and availability of data and services
  • Defined and enforced IT infrastructure security checklists for new and existing systems considering regulatory and industry standards, ensuring compliance and minimizing risk exposure
  • Developed and implemented security tools and automation scripts to enhance the IT security process, improving the efficiency and effectiveness of the security team's operations and reducing human errors
Dec 2016 - Present
8 years 3 months

Security Researcher

OWASP Foundation

  • The OWASP DevSecOps guideline project leader
  • The OWASP MSTG (Mobile Security Testing Guide) project contributor
Mar 2016 - Dec 2019
2 years 10 months
Iran, Islamic Republic of

Penetration Tester

Atieh Dadeh Pardaz

  • Conducted comprehensive web application penetration testing using tools such as Burp Suite, OWASP ZAP, and Nmap to identify security vulnerabilities, such as cross-site scripting (XSS), SQL injection, and insecure authentication mechanisms
  • Conducted thorough penetration testing of mobile applications for iOS and Android platforms, using tools such as MobSF, APK Analyzer, and Frida, to identify security vulnerabilities, such as insecure data storage, improper authentication, and weak encryption
  • Created detailed reports outlining the identified vulnerabilities, along with recommendations for remediation and risk mitigation, and presented these findings to development and management teams
Nov 2015 - May 2018
2 years 7 months
Iran, Islamic Republic of

Security Engineer - Red Team

MTN Irancell

  • Conducted and managed penetration testing and vulnerability assessment programs on IT services, including networks, systems, and applications, to identify security vulnerabilities and remediate them promptly
  • Collaborated with the security team to design and implement security controls and countermeasures, including firewalls, intrusion detection/prevention systems, and security information and event management (SIEM) solutions, to protect against cyber threats and attacks
  • Reviewed service architecture and performed threat modeling to identify potential security risks and vulnerabilities, designing and implementing mitigation strategies to ensure the confidentiality, integrity, and availability of data and services
  • Contributed to the development and implementation of security policies, procedures, and standards based on regulatory and industry best practices, ensuring compliance and reducing the risk exposure of the organization
Apr 2013 - Oct 2015
2 years 7 months
Iran, Islamic Republic of

Security Engineer

Ertebat Gostar

  • Conducted penetration tests and vulnerability assessments to identify and report security weaknesses in client systems
  • Provided consultation services to clients on improving system and network security measures
  • Developed and implemented security dashboards to provide clients with real-time security monitoring and reporting capabilities
Mar 2008 - Mar 2013
5 years 1 month
Iran, Islamic Republic of

Security Engineer

IDSco

  • Conducted penetration tests and vulnerability assessments to identify and report security weaknesses in client systems
  • Provided consultation services to clients on improving system and network security measures
  • Developed and implemented security dashboards to provide clients with real-time security monitoring and reporting capabilities

Summary

I am a Security Engineer with a decade of experience in Telco, FinTech, Retail, and SaaS. My expertise includes security-focused software development practices, threat modeling, penetration testing, and vulnerability management. I help companies adopt DevSecOps to produce more secure products with less effort and cost. I can communicate security concerns in a language that makes sense to both technical and non-technical departments. As an active contributor to the global security community, I lead the OWASP DevSecOps Guideline project. I advocate for AppSec and DevSecOps, speaking at events to influence security in technology.

Languages

Persian
Native
English
Advanced

Education

Oct 2011 - Jun 2013

Jdeihe.ac.ir

Computer Software Engineering · Iran, Islamic Republic of

Oct 2006 - Jun 2009

Jdeihe.ac.ir

Computer Software Engineering · Iran, Islamic Republic of

Certifications & licenses

CKA

CKS